[HN Gopher] GoDaddy Security Breach
___________________________________________________________________
GoDaddy Security Breach
Author : sumstock
Score : 265 points
Date : 2021-11-22 14:22 UTC (8 hours ago)
(HTM) web link (www.sec.gov)
(TXT) w3m dump (www.sec.gov)
| game_the0ry wrote:
| I saw a couple of comments saying to not use godaddy - why is
| that? I am a godaddy customer and have not been dissatisfied so
| far (excluding this data breach).
|
| I also see namecheap being recommended a lot. Are they the go-to
| for domain name registration?
| Kye wrote:
| At one point GoDaddy used a lot of dark patterns in their
| checkout and cancellation flows. Amazon's worst is relatively
| tame. I don't know if they cleaned up their act, but that's
| likely the source.
|
| Cloudflare offers domain registration now (not just transfers),
| and it's at cost, so I don't see a reason to not use it unless
| you need to set your own nameservers. That's a paid add-on with
| Cloudflare's registrar service.
| phaedryx wrote:
| Here's a list of reasons to avoid GoDaddy:
| https://en.wikipedia.org/wiki/GoDaddy#Controversies
|
| Also, I left because I thought their upsells and harassment
| were annoying.
| ryanlol wrote:
| Most of these don't really look too bad for godaddy, the
| first thing on your list paints them in a very positive
| light.
| dspillett wrote:
| I wouldn't say most, but some do not look bad for them.
| Some do look very bad for them IMO though, and some of
| those are why I've not used them for many years (some of
| them happened after I moved my things elsewhere).
|
| The point of that list is to enumerate significant
| controversies involving GoDaddy, not just those where they
| look particularly bad.
| tristor wrote:
| I used to work with a lot of former GoDaddy employees. Based on
| what I was told, they treat their employees horribly internally
| and are very much focused on nickel and diming their customers
| as much as possible without any desire to provide more than the
| bare minimum of service to prevent them from being sued for
| breach of contract.
|
| They are not a company I would ever do business with on the
| basis of that alone.
| [deleted]
| riekus wrote:
| GoDaddy has done a lot of shady shit in the past at least. I
| had a couple of incidents of my own with them. One where I paid
| the fee for domain brokerage/negotiation with the owner, where
| they took the money and never responded again.
| cpach wrote:
| GoDaddy has been in the news over the past twenty years for
| questionable business practices.
|
| I prefer Dynadot (US company). I've also heard good things
| about Gandi (French company). You can also transfer (but not
| register) domains to Cloudflare.
| jgrahamc wrote:
| You can register domains with Cloudflare also:
| https://blog.cloudflare.com/registrar-for-everyone/
| rstupek wrote:
| Do you know if/when Cloudflare will offer registration/
| renewal through an API?
| ryanlol wrote:
| Gandi will suspend your domains for no reason and hold them
| hostage until you provide photographic ID proof, stay away.
| mikro2nd wrote:
| Really? I've been dealing with Gandi for something like 20
| years and have never before now heard of anything like
| this, nor experienced it.
|
| Some evidence, please.
| denton-scratch wrote:
| I also rate Gandi. I'm also surprised to hear of
| shenanigans.
|
| But the GP's story is about identity verification; I
| don't see that as a particularly egregious "shenanigan".
| ohyeshedid wrote:
| Can't speak to that specific complaint, but Gandi has had
| other issues in the past.[0]
|
| [0] https://news.ycombinator.com/item?id=22001822
| freedomben wrote:
| I bought domains through them many years ago and transferring
| them out was an absolute and utter (intentional on GoDaddy's
| part) nightmare.
|
| Even today, I have one domain that I inherited that has been
| nearly impossible to transfer out, even after talking to
| support personnel. They keep blaming the receiving registrar
| even though all the evidence points to GoDaddy's system. I
| don't know if it's malice or incompetence, but it's kind of
| hard to tell the difference at this point, and given the very
| real malice in their past, I'm disinclined to give them too
| much benefit of the doubt.
|
| Lastly I can't prove it, but about 10 years ago or so I'm
| pretty sure they bought a domain name that I had been searching
| using their search tool but was on the fence about buying. When
| I finally did decide to buy it, it had been registered but was
| "available" to buy through GoDaddy at a nice markup. I saw
| online (at the time) several other anecdotes of the same thing.
|
| For those wondering what I use now: hover.com has been great to
| me for many years. I do have an increasing number on Cloudflare
| as well.
| 1cvmask wrote:
| No surprise at all that this happened. They had not turned on
| multi-factor authentication and hackers got in through a static
| password. Over 80% of data breaches are through static passwords.
|
| From the official GoDaddy statement:
|
| Using a compromised password, an unauthorized third party
| accessed the provisioning system in our legacy code base for
| Managed WordPress.
|
| -
|
| This could have been an easily avoidable data breach.
| polote wrote:
| > This could have been an easily avoidable data breach.
|
| Like Twitter has done it
| https://en.wikipedia.org/wiki/2020_Twitter_account_hijacking ?
|
| It is super easy to give lessons after the fact
| paulpauper wrote:
| A static password is fine if you have a good strength and rate
| limiting or other ways to prevent brute forcing
| vimda wrote:
| It's really not... Password reuse, other breaches, there's
| many ways a password can be leaked that isn't bruteforcing.
| Considering how low the barrier to entry to 2fa is, there
| really is no excuse these days
| bilekas wrote:
| But they said :
|
| > We, GoDaddy leadership and employees, take our responsibility
| to protect our customers' data very seriously
|
| So that makes it okay right ?
| gizdan wrote:
| Totally makes it okay! I assume that's _after_ the data is
| stolen and sold.
| Zancarius wrote:
| See, the trick is to sell customer data _before_ the bad
| guys get it!
| kreeben wrote:
| No. You should only work with partners who take that
| responsibility extremely seriously. "Very" is an order of
| magnitude too low.
| cpach wrote:
| I'm pretty sure 'bilekas was being sarcastic :)
| RankingMember wrote:
| kreeben was continuing the joke
| mooreds wrote:
| > Over 80% of data breaches are through static passwords.
|
| Static passwords are bad, for sure. But do you have a source
| for this?
| alexis2b wrote:
| Over 80% of statistics posted in comments are made on the
| spot.
| mellavora wrote:
| no, the correct figure is 78%
| 1cvmask wrote:
| The figure that I used was one from the Verizon Data
| Breach report in 2017 of 81%.
|
| Page 5 in the executive summary:
|
| https://www.verizon.com/business/resources/reports/2017_dbir...
| 1cvmask wrote:
| See page 5 of the Verizon report and the number is 81%:
|
| https://www.verizon.com/business/resources/reports/2017_dbir...
| mooreds wrote:
| Awesome, thanks for sharing that link from 2017.
|
| For everyone not going to go to the PDF, the text is "81%
| of hacking-related breaches leveraged either stolen and/or
| weak passwords."
|
| So I'm not sure that you can say that all data breaches are
| related to static passwords, but it sure is a big number and a
| problem.
|
| I looked at the 2020 Verizon report, but unfortunately they
| changed their methodology or reporting so I didn't see a
| figure for that year for "hacking-related breaches".
| sebow wrote:
| >This looks interesting, godaddy breach reported by sec, let me
| click:
|
| >Wordpress
|
| >Oh... nevermind
| bilekas wrote:
| > For active customers, sFTP and database usernames and passwords
| were exposed. We reset both passwords.
|
| > For a subset of active customers, the SSL private key was
| exposed. We are in the process of issuing and installing new
| certificates for those customers.
|
| Wow.. That's quite severe.. From September 6th to November 17th..
| I wonder will they do a full impact summary after they figure it
| out internally.
| [deleted]
| busterarm wrote:
| I've met Demetrius and he's a smart, capable security
| professional who has already done a lot to bring GoDaddy up to
| shape. This is an unfortunate miss for them after years of
| hard work to rectify these kinds of issues.
| denton-scratch wrote:
| Unfortunately, 20 years of treating customers like dirt can't
| be washed-away by hiring one capable security professional.
| For dirt customers like me, the best way of judging a service
| provider is past form.
|
| I don't buy from companies with a bad history. It's not some
| kind of behaviour-modification strategy; it's just
| self-preservation.
| lvice wrote:
| I hope they are talking about hashed passwords. There is no
| reason why in 2021 passwords can be recovered in clear text,
| even in a legacy code base...
| maccolgan wrote:
| It's about the database and SFTP usernames and passwords, how
| can you hash them?
| joecool1029 wrote:
| Can we not editorialize the titles?
|
| This is the title: GoDaddy Announces Security Incident Affecting
| Managed WordPress Service
|
| Saying this is a breach sounds more generalized and makes
| exponentially more people click the bait to see if their domain
| accounts were hit (they weren't).
| slownews45 wrote:
| Agreed. Headlines have just gotten terrible.
| nathanaldensr wrote:
| > Chief Information Security Officer
|
| > Our WordPress password was leaked or exposed--likely due to
| utter incompetence--and no 2FA was in use.
|
| Man, when can _I_ become a Chief Information Security Officer? I
| could do a better job in my sleep.
| vmception wrote:
| > I could do a better job in my sleep.
|
| when you're ready, you won't have to
| imroot wrote:
| There was a fair amount of fallout from this with other services
| as well -- customers who were hosted on GoDaddy but had their
| accounts compromised had other services spun up with their domain
| and their credentials.
|
| I know that the company I work for was hit at least once by this,
| until we implemented stronger KYC checks.
| ed25519FUUU wrote:
| At least they didn't try and blame their incompetence on
| "sophisticated foreign hackers, possibly Russian"
| jodrellblank wrote:
| I had a domain with them for years, a couple months ago they
| ditched their entire IMAP/POP3/SMTP email platform and moved all
| customers to a trial of Microsoft Office365.
|
| I guess that was another part of their 'legacy platform'?
|
| I transferred the domain to Gandi which offers a couple of email
| addresses with each domain, something I kept putting off
| expecting GoDaddy to make it difficult, but it was fine.
|
| But I do wonder how competent a registrar/web/email tech company
| is if they can't run email services, and now apparently can't run
| websites securely either? I spent a while mulling Fastmail and
| Rollernet and Mxroute vs paying for Office365 and thinking about
| how impossible it is to know if a company has the tech skills to
| back their product offering - and then if they actually do use
| them - or are just marketing.
| [deleted]
| hateful wrote:
| This was my excuse to move to Fastmail - I was "forwarding"
| (actually POP3ing) my email into Gmail from GoDaddy. Now it's
| all in Fastmail. It was also losing the catch-all address that
| was unacceptable at the time.
| PopAlongKid wrote:
| > they ditched their entire IMAP/POP3/SMTP email platform and
| moved all customers to a trial of Microsoft Office365
|
| For browser access to your mailbox, yes they did move to
| Office365 (free, not a trial), but POP3 and SMTP still work
| just fine, no change required.
|
| I have been using GoDaddy for many years for a handful of
| domains, including my own business, and have had no problems
| using their interface and avoiding paying for add-on products.
| rvz wrote:
| * Up to 1.2 million active and inactive Managed WordPress
| customers had their email address and customer number exposed.
| The exposure of email addresses presents risk of phishing
| attacks.
| * The original WordPress Admin password that was set at the time
| of provisioning was exposed. If those credentials were still in
| use, we reset those passwords.
| * For active customers, sFTP and database usernames and passwords
| were exposed. We reset both passwords.
| * For a subset of active customers, the SSL private key was
| exposed. We are in the process of issuing and installing new
| certificates for those customers.
|
| Oh dear. No mention of 2FA mechanisms here. So does that mean
| GoDaddy's security is not good enough or is in fact very poor?
|
| No different to Epik's security breach I guess, but not the worst
| security breach I've seen in a long time when compared with
| Twitch [0].
|
| [0] https://news.ycombinator.com/item?id=28771465
| cpach wrote:
| IMO: Friends don't let friends use GoDaddy.
| unstatusthequo wrote:
| Or Network Solutions... which, dare I say, is even worse.
| Turing_Machine wrote:
| Pretty much all of them are bad/evil in some way, but some
| are worse than others.
| _nickwhite wrote:
| Us greybeards have been around long enough to experience
| several of these bad/evil domain registrars. One common
| path I see has been:
|
| Network Solutions -> GoDaddy -> Namecheap -> Google Domains
| OR CloudFlare Domains
|
| Seriously, if anyone is still using Netsol or GoDaddy,
| there are much better alternatives, and it's very easy to
| make the transition. I've helped a good handful of friends.
| junon wrote:
| I use Gandi these days.
| good8675309 wrote:
| I use NameCheap. I would never use a company like Google
| where I can't at least call and talk to someone. Also,
| there are stories like this where someone gets their
| Google account locked for some random reason and all of
| the sudden your domain is now locked as well:
| https://news.ycombinator.com/item?id=4825445
| xmprt wrote:
| Thoughts on Hover vs Namecheap? I've been using Hover for
| a while now and they haven't given me any issues but I
| wonder if there's something better out there that I just
| haven't looked into.
| Turing_Machine wrote:
| I've never used Google as a domain registrar. They're
| evil enough for other reasons that I wouldn't feel
| comfortable doing that.
| rockbruno wrote:
| GoDaddy has the weirdest tech stack/tech support combination I
| have ever seen. I once had an issue where I was unable to update
| my credit card information, so I contacted their support. Their
| support process is basically having you give them full access to
| your account and then having the support person navigate your
| account like a regular user to see what problem you're facing.
| So, because I had a problem with the payment flow, she literally
| asked for my credit card information so she could see which error
| I was seeing. I was cool headed enough to explain why that was a
| ridiculous request but hung up after that. No wonder they got
| hacked.
| elliekelly wrote:
| I'm almost afraid to ask but... how long ago did this happen?
| croutonwagon wrote:
| Godaddy has some bad practices.
|
| They used to randomly call us, and then ask US to verify our
| accounts, passcodes in order for them to tell us a domain was
| close to expiration.
|
| Not an email. An unsolicited phone call where I have to
| validate my information.
|
| I told them that was phishing 101 tactic and a bad practice to
| train users on. And if a call is standard, a user may
| reasonably assume an email may be too.
|
| Ultimately they just removed me from their call list.
|
| It was one of the most asinine things I've seen. It reminds me
| I need to move my company's domains to Hover.
| dang wrote:
| There's a summary here, which seems to be reporting on the OP:
| https://www.wordfence.com/blog/2021/11/godaddy-breach-plaint....
|
| (Via https://news.ycombinator.com/item?id=29311286, but no
| comments there)
| CodinM wrote:
| Story time: A few years ago I woke up before going to work and
| noticed I had a few emails for automatic renewal for some
| domains I didn't remember buying on GoDaddy - which I wasn't
| using anymore for anything important.
|
| Upon investigating I found out a Turkish person was using my
| account for some scams with crypto alongside a few real-world
| websites he built for business in Ankara. I went to the police,
| gave them all the evidence (just so I'm safe legally from the
| scams he was running in my name, with stolen credit cards that
| were using my address - but in Ankara, not my location), and
| GoDaddy failed to answer to the local authorities; after 1 year
| the investigation was shut down because of lack of cooperation
| from GoDaddy's side.
| IYasha wrote:
| Good place to ask for alternatives, I suppose. Are there any?
|
| Is NameSilo any better? I can't just go for OpenNIC domain
| because I have to have email accessible to other servers. :(
| chrisco255 wrote:
| I've been using iwantmyname.com for years. It's simple to search,
| simple to add integrations, and has always been reliable on domain
| renewals for me. It's New Zealand based I believe.
| andrewguenther wrote:
| There's tons. Google domains, name.com, almost anyone but
| GoDaddy
| ushakov wrote:
| <removed>
| uncletammy wrote:
| Simply calling a thing you don't like "a scam" is lazy and
| unproductive. If you have an argument to make against Godaddy
| (there are plenty to be made), please do so.
| Turing_Machine wrote:
| Seriously, any flavor of WordPress is just a breach waiting to
| happen. It's not a question of "if", it's a question of "when".
|
| I understand that it's easy to use from a writer's point of view
| (after you get it installed, or if someone else is installing it
| for you), and that there are all kinds of third-party plugins and
| support available, but man, that codebase is a gigantic steaming
| pile of technical debt.
| tyingq wrote:
| It is much better than it used to be. They seem to have finally
| gotten automatic updates of the core and plugins working
| reasonably. But, yes, there's some pretty ugly stuff in there.
| Like things that appear to be proper parameterized SQL queries,
| but are not if you look behind the curtain:
| https://github.com/WordPress/WordPress/blob/807cba060e30a670...
| iamricks wrote:
| We once had a domain stolen because somebody called GoDaddy and
| was able to get the 2FA code removed with a phone call and they
| had some leaked email credentials for the account.
|
| We had to call GoDaddy and cancel the domain transfer, they would
| give us no information on how it happened.
| bhartzer wrote:
| I can tell you that unfortunately that's not an isolated case.
| We recover stolen domain names, and it happens quite often
| (that someone gets into a GoDaddy account and is able to remove
| 2FA).
| marcc wrote:
| Why are we reading this on the SEC site and not the GoDaddy site?
| I did a quick search and can't find a disclosure on their site.
| If it's there, it's not easy to find.
|
| Security incidents are going to happen. This particular incident
| looks to be avoidable (static passwords!). What we should judge
| the company on is their response and transparency. GoDaddy
| disclosed, but a new customer on the site wouldn't find this.
| They also used phrases like "affects our Legacy WordPress
| Platform" probably to attempt to shift a little blame from the
| current team or minimize the fall out.
|
| When you have a security incident, be transparent, own it, and
| deal with it. We can tell when you are trying to sweep it under
| the rug and hide, and that's bad. This is an opportunity for an
| org to show that they put customers first and shine.
| blablabla123 wrote:
| That's at least the 2nd funny thing happening with GoDaddy. I
| stopped using them years ago.
| neom wrote:
| The URL contains "gddyblogpostnov222021" - and at the bottom
| the FLS mentioned blog post, so I guess the SEC didn't adhere
| to their press embargo on the blog post? ;)
| hellbannedguy wrote:
| GoDaddy has always been a slimy registrar.
|
| Anyone who has registered with them knows this.
|
| Go with Google for $13. You will never hear from them. You won't
| have to worry about drug fueled marketing bs, or unethical
| behavior.
| bagels wrote:
| Google?
| verdverm wrote:
| https://domains.google.com
|
| Also a long time happy customer.
| cycomanic wrote:
| I realise that you are talking about behavior as a registrar,
| but it's somewhat ironic that you mention google and no
| unethical behavior in the same sentence.
| hackmiester wrote:
| I absolutely hate Google, but if it was between them and
| GoDaddy, I think I'd pick Google.
|
| If I had any choice, though, it'd be Gandi or Namecheap.
| zinekeller wrote:
| Google Domains has indeed been a very professional and no-BS
| operation. Shame though that their other businesses are...
| not in a good spotlight.
|
| Edit: Whoops, CRR operates certain gTLDs, Google LLC operates
| the buy-a-domain registrar.
| RHSeeger wrote:
| And if you ever have a problem with them, you _still_ won't
| hear from them.
| secondaryacct wrote:
| Sorry, but they are contacting every impacted customer and
| changing their secrets.
|
| You work in a company too. What matters? That the random
| raging virgins on HN bask in your failure, or that every
| impacted client knows something happened?
| [deleted]
| elliekelly wrote:
| Management doesn't put customers first. They put themselves
| (management) first closely followed by investors. The SEC
| recently indicated they'd be focusing enforcement on
| cybersecurity incident disclosures. Particularly on timely
| disclosures (not waiting 6 months from discovery to disclosure,
| for example).
|
| That might be the only reason we're even reading about this at
| all.
| skeeter2020 wrote:
| >> Why are we reading this on the SEC site and not the GoDaddy
| site?
|
| This is typically by design and public relations 101. If you
| don't link "bad" content to your domain it's easier to make it
| disappear in the future. It's why a company purchases "our-
| data-breach.net" to handle a public incident instead of just a
| sub domain or deeply linked page. No long-lived anti-SEO
| legrande wrote:
| From my experience with GoDaddy, the amount of dark patterns
| using the service was astonishing. It made me move to better
| hosting providers. They always try to up-sell you stuff, and tack
| on all these additional features that you have to opt out of when
| buying something. You have to be really careful on there in case
| you buy something you didn't want. Also their UI is really messy
| and things are buried in multiple deep links and menus. One out
| of five, do not recommend. It's no wonder they suffered a breach.
| Dave_TRS wrote:
| The dark patterns are so ridiculous I almost get a little
| enjoyment out of it like playing a game. When you sign up for a
| domain name it's a mini mission to get past the 5 separate
| screens of upselling and clicking the small Skip link and not
| the big green Continue button. If you're not paying close
| attention you get to your cart and there's extra crap in there,
| and you have to restart the level.
| unclebucknasty wrote:
| After using them for simple domain name registration, I can't
| imagine using them for something more complex, like hosting.
|
| The UI is so bad that just figuring out how the contact info
| they collect in multiple places is used is near-impossible.
___________________________________________________________________
(page generated 2021-11-22 23:01 UTC)